Possible trojan or something

Hi all - first I want to say thanks in advance to anyone who can help. Second, I have little to no idea what I'm doing, so forgive a giant dump of info but hoping someone on here can help. I think I have adware or spyware or something not right on my MacBook Air.


It's been acting a little weird for a while - maybe because it's 4 or 5 years old or maybe because there has been something on it for a long time and I didn't realize it. For quite a while, I've noticed the little beach ball pinwheel thing popping up more than normal when I'm online. Also, there's something wrong with the mousepad on my computer and I have to press down very hard to scroll or do anything (i.e. cut and paste a sentence - my fingertips get swollen because I need to press so hard). But the severity of the problem got worse tonight. I was doing research on ISIS propaganda videos for an article, and went to a website listed on the first page of Google for some version of that search term. I went on, clicked on a video and a big gray message popped up saying I was infected and to call some number - I couldn't X it out or do anything so immediately shut down my computer using the power key. Obviously - I didn't call the number.


I turned it back on and started noticing infolinks and excessive popups everywhere. My already sort of slow Mac is way worse. That rainbow pinwheel pops up every time I click on anything now, especially when I use sidebars to scroll. There's a huge delay between typing a word and it showing up on the screen - especially while searching on Google. Everything is just acting weird. I've been searching various forums for the past few hours - and below is the result of everything that showed up in terminal. Can anyone take a look and see if any of the files don't look right? I was actively searching for the flashback and ventir trojans, as well as key loggers. One file of concern is softRAID.kext. And some of the Adobe files.


Oh - I also tried to search in terminal for files I know are malicious, and anytime I tried searching - permission was denied. I'll include an example of that below. Anyway, thanks so much to anyone who can help!

Last login: Sat Oct 10 03:01:55 on ttys000

rebekahs-MacBook-Air:~ rebekah$ kextstat -kl | awk '!/com\.apple/{printf "%s %s\n", $6, $7}'

rebekahs-MacBook-Air:~ rebekah$ sudo launchctl list | sed 1d | awk '!/0x|com\.(apple|openssh|vix)|edu\.mit|org\.(amavis|apache|cups|isc|ntp|postfix|x)/{print $3}'

Password:

com.microsoft.office.licensing.helper

com.adobe.SwitchBoard

com.adobe.fpsaud

com.adobe.adobeupdatedaemon

rebekahs-MacBook-Air:~ rebekah$ launchctl list | sed 1d | awk '!/0x|com\.apple|edu\.mit|org\.(x|openbsd)/{print $3}'

com.microsoft.autoupdate.fba.43856

com.microsoft.Office365Service.53712

com.microsoft.Word.29600

com.adobe.PDApp.AAMUpdatesNotifier.34352.8D5AA5B6-B5CA-4A99-9794-415CE851993A

com.google.Chrome.52656

com.evernote.EvernoteHelper.45616

com.google.GoogleDrive.25376

com.github.GitHub.Conduit

com.adobe.AdobeCreativeCloud

com.google.keystone.user.agent

com.adobe.ARM.202f4087f2bbde52e3ac2df389f53a4f123223c9cc56a8fd83a6f7ae

com.adobe.AAM.Scheduler-1.0

rebekahs-MacBook-Air:~ rebekah$ ls -1A /e*/mach* {,/}L*/{Ad,Compon,Ex,Fram,In,Keyb,La,Mail/Bu,P*P,Priv,Qu,Scripti,Servi,Spo,Sta}* L*/Fonts 2> /dev/null

/Library/Components:


/Library/Extensions:

ATTOCelerityFC8.kext

ATTOExpressSASHBA2.kext

ATTOExpressSASRAID2.kext

ArcMSR.kext

CalDigitHDProDrv.kext

HighPointIOP.kext

HighPointRR.kext

PromiseSTEX.kext

SoftRAID.kext


/Library/Frameworks:

AEProfiling.framework

AERegistration.framework

AudioMixEngine.framework

NyxAudioAnalysis.framework

PluginManager.framework

iTunesLibrary.framework


/Library/Input Methods:


/Library/Internet Plug-Ins:

AdobeAAMDetect.plugin

AdobePDFViewer.plugin

AdobePDFViewerNPAPI.plugin

Default Browser.plugin

Flash Player.plugin

JavaAppletPlugin.plugin

Quartz Composer.webplugin

QuickTime Plugin.plugin

SharePointBrowserPlugin.plugin

SharePointWebKitPlugin.webplugin

Silverlight.plugin

flashplayer.xpt

nsIQTScriptablePlugin.xpt


/Library/Keyboard Layouts:


/Library/LaunchAgents:

com.adobe.AAM.Updater-1.0.plist

com.adobe.AdobeCreativeCloud.plist


/Library/LaunchDaemons:

com.adobe.SwitchBoard.plist

com.adobe.adobeupdatedaemon.plist

com.adobe.fpsaud.plist

com.microsoft.office.licensing.helper.plist


/Library/PreferencePanes:

Flash Player.prefPane


/Library/PrivilegedHelperTools:

Google Drive Icon Helper

com.microsoft.office.licensing.helper


/Library/QuickLook:

iBooksAuthor.qlgenerator

iWork.qlgenerator


/Library/QuickTime:

AppleIntermediateCodec.component

AppleMPEG2Codec.component


/Library/ScriptingAdditions:

Adobe Unit Types.osax


/Library/Spotlight:

Microsoft Office.mdimporter

iBooksAuthor.mdimporter

iWork.mdimporter


/Library/StartupItems:


/etc/mach_init.d:


/etc/mach_init_per_login_session.d:


/etc/mach_init_per_user.d:


Library/Address Book Plug-Ins:

SkypeABDialer.bundle

SkypeABSMS.bundle


Library/Fonts:


Library/Input Methods:

.localized


Library/Internet Accounts:

V1


Library/Internet Plug-Ins:

CitrixOnlineWebDeploymentPlugin.plugin

Picasa.plugin


Library/Keyboard Layouts:


Library/LaunchAgents:

.DS_Store

com.adobe.AAM.Updater-1.0.plist

com.adobe.ARM.202f4087f2bbde52e3ac2df389f53a4f123223c9cc56a8fd83a6f7ae.plist

com.google.keystone.agent.plist


Library/PreferencePanes:


Library/Services:

.localized

rebekahs-MacBook-Air:~ rebekah$ osascript -e 'tell application "System Events" to get name of every login item' 2> /dev/null

iTunesHelper, Google Drive, Hotspot Shield, AdobeResourceSynchronizer, CrossOver CD Helper, EvernoteHelper

rebekahs-MacBook-Air:~ rebekah$


Ex of permissions denied and another search:

rebekahs-MacBook-Air:~ rebekah$ defaults write com.apple.finder AppleShowAllFiles TRUE

rebekahs-MacBook-Air:~ rebekah$ killall Finder

rebekahs-MacBook-Air:~ rebekah$ defaults write com.apple.finder AppleShowAllFiles TRUE

rebekahs-MacBook-Air:~ rebekah$ defaults write com.apple.finder AppleShowAllFiles TRUE

rebekahs-MacBook-Air:~ rebekah$ defaults write com.apple.finder AppleShowAllFiles FALSE

rebekahs-MacBook-Air:~ rebekah$ killall Finder

rebekahs-MacBook-Air:~ rebekah$ find "/" -name "updated.kext"

find: /.DocumentRevisions-V100: Permission denied

find: /.fseventsd: Permission denied

find: /.MobileBackups: Permission denied

find: /.Spotlight-V100: Permission denied

find: /.Trashes: Permission denied

find: /dev/fd/3: Not a directory

find: /dev/fd/4: Not a directory

find: /Library/Application Support/Apple/ParentalControls/Users: Permission denied

find: /Library/Application Support/com.apple.TCC: Permission denied

find: /Library/Caches/com.apple.Spotlight/schema.501.plist: Permission denied

find: /Library/Caches/com.apple.Spotlight/schema.502.plist: Permission denied





MacBook Air (13-inch Mid 2012), Virus, trojans, spyware

Posted on Oct 10, 2015 12:32 AM

7 replies
Question marked as Best reply

Oct 10, 2015 5:05 PM in response to Bekahleen

When you see a beachball cursor or the slowness is especially bad, note the exact time: hour, minute, second.

These instructions must be carried out as an administrator. If you have only one user account, you are the administrator.

Launch the Console application in any of the following ways:

☞ Enter the first few letters of its name into a Spotlight search. Select it in the results (it should be at the top.)

☞ In the Finder, select Go ▹ Utilities from the menu bar, or press the key combination shift-command-U. The application is in the folder that opens.

☞ Open LaunchPad and start typing the name.

The title of the Console window should be All Messages. If it isn't, select

SYSTEM LOG QUERIES ▹ All Messages

from the log list on the left. If you don't see that list, select

View ▹ Show Log List

from the menu bar at the top of the screen.

Each message in the log begins with the date and time when it was entered. Scroll back to the time you noted above.

Select the messages entered from then until the end of the episode, or until they start to repeat, whichever comes first.

Copy the messages to the Clipboard by pressing the key combination command-C. Paste into a reply to this message by pressing command-V.

The log contains a vast amount of information, almost all of it useless for solving any particular problem. When posting a log extract, be selective. A few dozen lines are almost always more than enough.

Please don't indiscriminately dump thousands of lines from the log into this discussion.

Please don't post screenshots of log messages—post the text.

Some private information, such as your name, may appear in the log. Anonymize before posting.

When you post the log extract, you might see an error message on the web page: "You have included content in your post that is not permitted," or "The message contains invalid characters." That's a bug in the forum software. Please post the text on Pastebin, then post a link here to the page you created.
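
A sketch of the selection and anonymizing steps in the reply above, added here as an example (it is not part of the original posts): it parses a saved Console extract in the timestamp layout shown in this thread, keeps a window around the noted time, drops repeated messages, and masks e-mail addresses, phone numbers and home-folder names. The function names, the 30/120-second window and the sample log lines are assumptions made for the illustration.

```python
import re
from datetime import datetime, timedelta

# Constructed sample in the Console "All Messages" layout seen in this thread.
SAMPLE = """\
10/9/15 9:26:41.000 PM kernel[0]: Security policy loaded: Quarantine policy (Quarantine)
10/9/15 9:27:01.100 PM NotificationCenter[181]: SOHelperCenter main connection interrupted
10/9/15 9:27:01.104 PM NotificationCenter[181]: SOHelperCenter main connection interrupted
10/9/15 9:27:51.277 PM identityservicesd[186]: [Warning] Registration failed [Main ID: jdoe@example.com] [Base Number: +15555550100] [Candidates: (
"jdoe@example.com"
)]
10/9/15 9:27:52.000 PM lsboxd[185]: Not allowing process 175 to register app "/Users/jdoe/Applications/Example.app"
10/9/15 10:24:25.000 PM kernel[0]: The USB device may have caused a wake
"""

# Header of one log entry: "10/9/15 9:27:01.100 PM sender[pid]: message"
HEAD = re.compile(
    r"^(\d{1,2}/\d{1,2}/\d{2} \d{1,2}:\d{2}:\d{2})\.(\d{3}) ([AP]M) (.+?\[\d+\]): (.*)$")
FMT = "%m/%d/%y %I:%M:%S %p"


def parse_records(text):
    """Return [(when, sender, message)]; lines with no timestamp continue the previous entry."""
    records = []
    for line in text.splitlines():
        m = HEAD.match(line)
        if m:
            when = datetime.strptime(f"{m[1]} {m[3]}", FMT) + timedelta(milliseconds=int(m[2]))
            records.append([when, m[4], m[5]])
        elif records and line.strip():
            records[-1][2] += "\n" + line
    return [tuple(r) for r in records]


def in_window(records, noted, before=30, after=120):
    """Keep entries from `before` seconds ahead of the noted time to `after` seconds past it."""
    start, end = noted - timedelta(seconds=before), noted + timedelta(seconds=after)
    return [r for r in records if start <= r[0] <= end]


def drop_repeats(records):
    """Keep only the first occurrence of each (sender, message) pair."""
    seen, kept = set(), []
    for when, sender, msg in records:
        if (sender, msg) not in seen:
            seen.add((sender, msg))
            kept.append((when, sender, msg))
    return kept


def redact(text, names=()):
    """Mask e-mail addresses, +NNN phone numbers, home-folder names and any extra names given."""
    text = re.sub(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+", "<email>", text)
    text = re.sub(r"\+\d{7,15}\b", "<phone>", text)
    text = re.sub(r"/Users/[^/\s\"]+", "/Users/<user>", text)
    for name in names:
        text = re.sub(re.escape(name), "<name>", text, flags=re.IGNORECASE)
    return text


def extract_for_posting(text, noted, names=(), before=30, after=120):
    """Return the anonymized entries around `noted` (a string in the same date/time layout)."""
    noted_dt = datetime.strptime(noted, FMT)
    records = drop_repeats(in_window(parse_records(text), noted_dt, before, after))
    return [redact(f"{w:%m/%d/%y %I:%M:%S %p} {s}: {m}", names) for w, s, m in records]


if __name__ == "__main__":
    print("\n".join(extract_for_posting(SAMPLE, "10/9/15 9:27:00 PM", names=["jdoe"])))
```

Pass the account short name and the computer name in `names`, and read the result once more before posting, since a pattern-based mask can miss identifiers it was not written for.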

Oct 10, 2015 5:05 PM in response to Linc Davis

Thanks so much and my apologies for dumping lines of code. Not being the most tech savvy person - I thought maybe someone could decipher what was wrong from seeing it. But, if the commands weren't relevant - it's pretty pointless. Kind of like asking an eye doctor to see what's wrong with your heart. Anyway, I'll do as you suggested.


Thanks much!

Oct 10, 2015 7:13 PM in response to Linc Davis

Hi again -


So, I went through and copied what looked like strange events. Specifically - a short log of quarantined items at the beginning. As well as things that mentioned a virtual interface, warnings, interruptions and remote services. There were a number of error logs too - but far too many to post. Please let me know if I should add a short sample here? I hope this doesn't count as a dump. Everything has the tendency to look sinister when you don't know what you are looking for.


Thanks again.



A few things quarantined:

10/9/15 9:26:41.000 PM kernel[0]: calling mpo_policy_init for Quarantine

10/9/15 9:26:41.000 PM kernel[0]: Security policy loaded: Quarantine policy (Quarantine)

10/10/15 3:58:13.000 AM kernel[0]: calling mpo_policy_init for Quarantine

10/10/15 3:58:13.000 AM kernel[0]: Security policy loaded: Quarantine policy (Quarantine)




10/9/15 9:27:00.199 PM racoon[277]: failed to bind to address fd6a:702b:3833:9d66:78e3:2ea0:13c1:7442[4500]: because interface address is/was not ready (flags 2).

10/9/15 9:27:00.000 PM kernel[0]: flow_divert_kctl_disconnect (0): disconnecting group 1

10/9/15 9:27:00.722 PM UserEventAgent[11]: Captive: CNPluginHandler en0: Authenticated

10/9/15 9:27:01.099 PM soagent[178]: Killing soagent.

10/9/15 9:27:01.100 PM NotificationCenter[181]: SOHelperCenter main connection interrupted

10/9/15 9:27:01.100 PM com.apple.dock.extra[236]: SOHelperCenter main connection interrupted

10/9/15 9:27:01.104 PM com.apple.dock.extra[236]: SOHelperCenter main connection interrupted

10/9/15 9:27:01.104 PM NotificationCenter[181]: SOHelperCenter main connection interrupted

10/9/15 9:27:01.108 PM imagent[185]: [Warning] Denying xpc connection, task does not have entitlement: com.apple.private.icfcallserver (soagent:178)

10/9/15 9:27:01.109 PM imagent[185]: [Warning] Denying xpc connection, task does not have entitlement: com.apple.private.icfcallserver (soagent:178)

10/9/15 9:27:01.584 PM com.apple.InputMethodKit.UserDictionary[283]: -[PFUbiquitySwitchboardEntryMetadata setUseLocalStorage:](760): CoreData: Ubiquity: myname~94661AA5-E035-5CB7-94E8-67E57AC4D471:UserDictionary

Using local storage: 1

10/9/15 9:27:02.270 PM com.apple.InputMethodKit.UserDictionary[283]: -[PFUbiquitySwitchboardEntryMetadata setUseLocalStorage:](760): CoreData: Ubiquity: MYNAME~94661AA5-E035-5CB7-94E8-67E57AC4D471:UserDictionary

Using local storage: 0

10/9/15 9:27:03.505 PM AirPlayUIAgent[287]: 2015-10-09 09:27:03.504680 PM [AirPlayUIAgent] Changed PIN pairing: no

10/9/15 9:27:03.507 PM AirPlayUIAgent[287]: 2015-10-09 09:27:03.506892 PM [AirPlayUIAgent] Changed PIN pairing: no

10/9/15 9:27:04.030 PM awacsd[81]: InnerStore GetWakeInfoForZone: no external port for 1986684514.members.btmm.icloud.com.

10/9/15 9:27:51.277 PM identityservicesd[186]: [Warning] Registration failed for Registration info (0x7f9d81c26c00): [Registered: NO] [Type: AppleID] [Device Name: (null)] [Service Type: com.apple.private.alloy.screensharing] [Env: (null)] [Main ID: @gmail.com] [Phone Number: @gmail.com] [AppleID: @gmail.com] [UserID: E:@gmail.com] [C2K: NO] [Push Token: <462c7673 0d2bd90d 62546cdf a870f5f3 72bf417a 8e5ef68f a66f5308 2e153cde>] [Region ID: R:US] [Base Number: +1917] [URIs: (null)] [Candidates: (

"+1917",

"appleID@icloud.com",

"myemail@gmail.com"

)] [Auth Cert: 0x0] [Reg Cert: 0x0] [Profile ID: D:1986684514] [Auth Token: (null)] [Auth User ID: (null)] [Heartbeat Date: (null)] (Error: 0)

10/9/15 9:27:51.327 PM identityservicesd[186]: [Warning] Registration failed for Registration info (0x7f9d81c26c00): [Registered: NO] [Type: AppleID] [Device Name: (null)] [Service Type: com.apple.private.alloy.screensharing] [Env: (null)] [Main ID: myemail@gmail.com] [Phone Number: @gmail.com] [AppleID: @gmail.com] [UserID: E:@gmail.com] [C2K: NO] [Push Token: <462c7673 0d2bd90d 62546cdf a870f5f3 72bf417a 8e5ef68f a66f5308 2e153cde>] [Region ID: R:US] [Base Number: +19176643957] [URIs: (null)] [Candidates: (

"My phone number",

"appleid@icloud.com",

"myemail@gmail.com"




10/10/15 12:03:10.973 AM com.apple.preferences.icloud.remoteservice[733]: Bogus event received by listener connection:

<error: 0x7fff79ba1b50> { count = 1, contents =

"XPCErrorDescription" => <string: 0x7fff79ba1e60> { length = 18, contents = "Connection invalid" }

}


10/10/15 3:58:16.000 AM kernel[0]: in func createVirtualInterface ifRole = 1

10/9/15 9:26:43.821 PM WindowServer[94]: CGXGLInitMipMap: mip map mode is on

10/9/15 9:26:43.833 PM loginwindow[64]: **DMPROXY** Found `/System/Library/CoreServices/DMProxy'.

10/9/15 9:26:43.853 PM mds[60]: (Warning) Server: No stores registered for metascope "kMDQueryScopeComputer"

10/9/15 9:26:43.903 PM locationd[66]: NBB-Could not get UDID for stable refill timing, falling back on random

10/9/15 9:26:43.931 PM systemkeychain[96]: done file: /var/run/systemkeychaincheck.done

10/9/15 9:26:43.945 PM airportd[85]: airportdProcessDLILEvent: en0 attached (up)

10/9/15 9:26:43.000 PM kernel[0]: createVirtIf(): ifRole = 1

10/9/15 9:26:43.000 PM kernel[0]: in func createVirtualInterface ifRole = 1


10/10/15 3:58:16.180 AM loginwindow[61]: **DMPROXY** Found `/System/Library/CoreServices/DMProxy'.

10/10/15 3:58:16.231 AM locationd[63]: NBB-Could not get UDID for stable refill timing, falling back on random

10/10/15 3:58:16.272 AM systemkeychain[86]: done file: /var/run/systemkeychaincheck.done

10/10/15 3:58:16.284 AM airportd[83]: airportdProcessDLILEvent: en0 attached (up)

10/10/15 3:58:16.000 AM kernel[0]: createVirtIf(): ifRole = 1

10/10/15 3:58:16.000 AM kernel[0]: in func createVirtualInterface ifRole = 1

10/10/15 3:58:16.000 AM kernel[0]: AirPort_Brcm4331_P2PInterface::init name <p2p0> role 1

10/10/15 3:58:16.000 AM kernel[0]: AirPort_Brcm4331_P2PInterface::init() <p2p> role 1

10/10/15 3:58:16.000 AM kernel[0]: Created virtif 0xffffff8014556800 p2p0

10/10/15 3:58:16.313 AM WindowServer[90]: Display 0x5b81c5c0: Unit 0; ColorProfile { 2, "Color LCD"}; TransferFormula (1.000000, 1.000000, 1.000000)

10/10/15 3:58:16.378 AM launchctl[125]: com.apple.findmymacmessenger: Already loaded

10/10/15 3:58:16.410 AM com.apple.SecurityServer[15]: Session 100004 created

10/10/15 3:58:16.486 AM loginwindow[61]: Setting the initial value of the magsave brightness level 1



10/10/15 3:58:21.180 AM quicklookd[219]: Warning: Cache image returned by the server has size range covering all valid image sizes. Binding: VariantBinding [0x1203] flags: 0x8 binding: FileInfoBinding [0x1103] - extension: webarchive, UTI: com.apple.webarchive, fileType: ???? request size:64 scale: 1

10/10/15 3:58:21.193 AM com.apple.IconServicesAgent[216]: main Failed to composit image for binding VariantBinding [0x217] flags: 0x8 binding: FileInfoBinding [0x117] - extension: txt, UTI: public.plain-text, fileType: ????.

10/10/15 3:58:21.193 AM quicklookd[219]: Warning: Cache image returned by the server has size range covering all valid image sizes. Binding: VariantBinding [0x1403] flags: 0x8 binding: FileInfoBinding [0x1303] - extension: txt, UTI: public.plain-text, fileType: ???? request size:64 scale: 1

10/10/15 3:58:21.254 AM com.apple.iCloudHelper[214]: ApplePushService: Timed out making blocking call, failed to perform call via XPC connection to 'com.apple.apsd'

10/10/15 3:58:21.365 AM WiFiKeychainProxy[177]: [NO client logger] <Nov 10 2013 18:30:13> WIFICLOUDSYNC WiFiCloudSyncEngineCreate: created...

10/10/15 3:58:21.365 AM WiFiKeychainProxy[177]: [NO client logger] <Nov 10 2013 18:30:13> WIFICLOUDSYNC WiFiCloudSyncEngineRegisterCallbacks: WiFiCloudSyncEngineCallbacks version - 0, bundle id - com.apple.wifi.WiFiKeychainProxy

10/10/15 3:58:21.544 AM com.apple.SecurityServer[15]: Session 100011 created

10/10/15 3:58:21.619 AM UserEventAgent[145]: Failed to copy info dictionary for bundle /System/Library/UserEventPlugins/alfUIplugin.plugin

10/10/15 3:58:21.640 AM lsboxd[185]: Not allowing process 175 to launch "/Users/NAME/Applications/GitHub.app/Contents/Library/LoginItems/GitHub Conduit.app" because it has not been launched previously by the user,

10/10/15 3:58:21.640 AM lsboxd[185]: Not allowing process 175 to register app "/Users/rebekah/Applications/GitHub.app/Contents/Library/LoginItems/GitHub Conduit.app" for launch.

10/10/15 3:58:21.000 AM kernel[0]: Sandbox: appleeventsd(74) deny file-read-metadata /Library/Keychains/System.keychain

10/10/15 3:58:21.000 AM kernel[0]: Sandbox: appleeventsd(74) deny file-read-metadata /Library

10/10/15 3:58:21.000 AM kernel[0]: Sandbox: appleeventsd(74) deny file-read-metadata /Library

10/10/15 3:58:21.000 AM kernel[0]: Sandbox: appleeventsd(74) deny file-read-metadata /Library

10/10/15 3:58:21.000 AM kernel[0]: Sandbox: appleeventsd(74) deny file-read-metadata /Library



10/9/15 10:24:25.000 PM kernel[0]: The USB device Apple Internal Keyboard / Trackpad (Port 2 of Hub at 0x1d180000) may have caused a wake by issuing a remote wakeup (3)

10/9/15 10:30:24.212 PM Safari[271]: /SourceCache/Accounts/Accounts-336.9/ACAccountStore.m - __60-[ACAccountStore _connectToRemoteAccountStoreUsingEndpoint:]_block_invoke - 130 - The connection to ACDAccountStore was interrupted.

10/9/15 10:30:24.239 PM com.apple.internetaccounts[224]: /SourceCache/Accounts/Accounts-336.9/ACAccountStore.m - __60-[ACAccountStore _connectToRemoteAccountStoreUsingEndpoint:]_block_invoke - 130 - The connection to ACDAccountStore was interrupted.

10/9/15 10:30:24.312 PM SocialPushAgent[177]: /SourceCache/Accounts/Accounts-336.9/ACAccountStore.m - __60-[ACAccountStore _connectToRemoteAccountStoreUsingEndpoint:]_block_invoke - 130 - The connection to ACDAccountStore was interrupted.

10/9/15 10:47:29.000 PM kernel[0]: The USB device HubDevice (Port 8 of Hub at 0x1d100000) may have caused a wake by issuing a remote wakeup (3)

10/9/15 10:47:29.000 PM kernel[0]: The USB device Apple Internal Keyboard / Trackpad (Port 2 of Hub at 0x1d180000) may have caused a wake by issuing a remote wakeup (3)

10/9/15 11:11:05.465 PM Safari[271]: [AOSAccounts] : [IsAccountKeyChainActive] : had error: The operation couldn’t be completed. (com.apple.security.sos.error error 2 - Remote error : The operation couldn’t be completed. (com.apple.security.sos.error error 2 - Public Key not available - failed to register before call))

10/9/15 11:11:05.467 PM Safari[271]: [AOSAccounts] : [IsAccountKeyChainActive] : had error: The operation couldn’t be completed. (com.apple.security.sos.error error 2 - Remote error : The operation couldn’t be completed. (com.apple.security.sos.error error 2 - Public Key not available - failed to register before call))

10/9/15 11:17:15.152 PM Finder[155]: *** remoteObjectProxyWithErrorHandler failed: Error Domain=NSCocoaErrorDomain Code=4097 "Couldn’t communicate with a helper application."; {

}

10/9/15 11:17:15.447 PM Safari[271]: /SourceCache/Accounts/Accounts-336.9/ACAccountStore.m - __60-[ACAccountStore _connectToRemoteAccountStoreUsingEndpoint:]_block_invoke - 130 - The connection to ACDAccountStore was interrupted.

10/10/15 12:03:10.199 AM com.apple.preferences.icloud.remoteservice[733]: assertion failed: 13F1112: liblaunch.dylib + 25164 [A40A0C7B-3216-39B4-8AE0-B5D3BAF1DA8A]: 0x25

10/10/15 12:03:10.217 AM com.apple.preferences.icloud.remoteservice[733]: assertion failed: 13F1112: liblaunch.dylib + 25164 [A40A0C7B-3216-39B4-8AE0-B5D3BAF1DA8A]: 0x25

10/10/15 12:03:10.726 AM com.apple.preferences.icloud.remoteservice[733]: [AOSAccounts] : [IsAccountKeyChainActive] : had error: The operation couldn’t be completed. (com.apple.security.sos.error error 2 - Remote error : The operation couldn’t be completed. (com.apple.security.sos.error error 2 - Public Key not available - failed to register before call))

10/10/15 12:03:10.728 AM com.apple.preferences.icloud.remoteservice[733]: [AOSAccounts] : [IsAccountKeyChainActive] : had error: The operation couldn’t be completed. (com.apple.security.sos.error error 2 - Remote error : The operation couldn’t be completed. (com.apple.security.sos.error error 2 - Public Key not available - failed to register before call))

10/10/15 12:03:10.931 AM com.apple.preferences.icloud.remoteservice[733]: nsc_smb XPC: handle_event error : < Connection invalid >

Oct 10, 2015 8:37 PM in response to Linc Davis

Ok. I'll make sure to log it as it happens now that I know how! :-)


I forgot to mention in the post above that the quarantined items below happened a few minutes after I opened the video on the suspicious website. As well as everything marked between 9:26 and 9:27 (not asking you to sift through all those logs, just mentioning it).


Knowing that these quarantine messages appeared almost immediately after restarting the computer last night (the pop up made my computer freeze) - do they look like any malware or anything that you are familiar with?


10/9/15 9:26:41.000 PM kernel[0]: calling mpo_policy_init for Quarantine

10/9/15 9:26:41.000 PM kernel[0]: Security policy loaded: Quarantine policy (Quarantine)


Thanks!
